Merge pull request #3275 from splunk/rdp_brute

patel-bhavin · web-flow · commit 5cabf436357f · 2025-02-11T10:27:04.000-08:00
RDP bruteforce - production!
diff --git a/data_sources/aws_cloudtrail_consolelogin.yml b/data_sources/aws_cloudtrail_consolelogin.yml
@@ -90,13 +90,13 @@ fields:
 - vendor_product
 - vendor_region
 example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "accountId":
-  "140429656527", "accessKeyId": "", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"},
+  "111111111111", "accessKeyId": "", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"},
   "eventTime": "2022-10-19T20:33:38Z", "eventSource": "signin.amazonaws.com", "eventName":
   "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "142.254.89.27", "userAgent":
   "Go-http-client/1.1", "errorMessage": "No username found in supplied account", "requestParameters":
   null, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"LoginTo":
   "https://console.aws.amazon.com", "MobileVersion": "No", "MFAUsed": "No"}, "eventID":
   "9fcfb8c3-3fca-48db-85d2-7b107f9d95d0", "readOnly": false, "eventType": "AwsConsoleSignIn",
-  "managementEvent": true, "recipientAccountId": "140429656527", "eventCategory":
+  "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
   "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
   "clientProvidedHostHeader": "signin.aws.amazon.com"}}'
diff --git a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
@@ -88,13 +88,13 @@ fields:
 - vendor_product
 - vendor_region
 example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
-  "140429656527", "arn": "arn:aws:iam::140429656527:root", "accountId": "140429656527",
+  "1111111111111111", "arn": "arn:aws:iam::1111111111111111:root", "accountId": "1111111111111111",
   "accessKeyId": "ASIASBMSCQHH2YXNXJBU", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
   {}, "attributes": {"creationDate": "2023-01-30T22:59:36Z", "mfaAuthenticated": "false"}}},
   "eventTime": "2023-01-30T23:02:23Z", "eventSource": "iam.amazonaws.com", "eventName":
   "CreateVirtualMFADevice", "awsRegion": "us-east-1", "sourceIPAddress": "23.93.193.6",
   "userAgent": "AWS Internal", "requestParameters": {"path": "/", "virtualMFADeviceName":
-  "strt_mfa_2"}, "responseElements": {"virtualMFADevice": {"serialNumber": "arn:aws:iam::140429656527:mfa/strt_mfa_2"}},
+  "strt_mfa_2"}, "responseElements": {"virtualMFADevice": {"serialNumber": "arn:aws:iam::1111111111111111:mfa/strt_mfa_2"}},
   "requestID": "2fbe2074-55f8-4ec6-ad32-0b250803cf46", "eventID": "7e1c493d-c3c3-4f4a-ae4f-8cdd38970027",
   "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
-  "140429656527", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
+  "1111111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
diff --git a/data_sources/aws_cloudtrail_describeeventaggregates.yml b/data_sources/aws_cloudtrail_describeeventaggregates.yml
@@ -84,7 +84,7 @@ fields:
 - vendor_product
 - vendor_region
 example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
-  "140429656527", "arn": "arn:aws:iam::140429656527:root", "accountId": "140429656527",
+  "1111111111111111", "arn": "arn:aws:iam::1111111111111111:root", "accountId": "1111111111111111",
   "accessKeyId": "ASIASBMSCQHHQQ6LB24V", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
   {}, "attributes": {"creationDate": "2023-01-31T21:58:17Z", "mfaAuthenticated": "true"}}},
   "eventTime": "2023-02-01T02:52:34Z", "eventSource": "health.amazonaws.com", "eventName":
@@ -93,5 +93,5 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip
   "filter": {"eventStatusCodes": ["open", "upcoming"], "startTimes": [{"from": "Jan
   25, 2023 2:54:32 AM"}]}}, "responseElements": null, "requestID": "d6adf050-1d7a-4c25-9d48-0319e33f6f9a",
   "eventID": "201cee69-61ab-4ffb-80b7-bd31e81e0d82", "readOnly": true, "eventType":
-  "AwsApiCall", "managementEvent": true, "recipientAccountId": "140429656527", "eventCategory":
+  "AwsApiCall", "managementEvent": true, "recipientAccountId": "1111111111111111", "eventCategory":
   "Management", "sessionCredentialFromConsole": "true"}'
diff --git a/data_sources/aws_cloudtrail_modifyimageattribute.yml b/data_sources/aws_cloudtrail_modifyimageattribute.yml
@@ -101,7 +101,7 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "ec2.amazonaws.com", "eventName": "ModifyImageAttribute", "awsRegion": "us-west-2",
   "sourceIPAddress": "72.135.245.10", "userAgent": "AWS Internal", "requestParameters":
   {"imageId": "ami-06dac31db29508566", "launchPermission": {"add": {"items": [{"userId":
-  "140429656527"}]}}, "attributeType": "launchPermission"}, "responseElements": {"requestId":
+  "1111111111111111"}]}}, "attributeType": "launchPermission"}, "responseElements": {"requestId":
   "84c431ce-6268-4218-aaf8-b4cdc1cd4055", "_return": true}, "requestID": "84c431ce-6268-4218-aaf8-b4cdc1cd4055",
   "eventID": "957e1b12-ea17-4006-aefd-20677ace72b8", "readOnly": false, "eventType":
   "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
diff --git a/data_sources/kubernetes_audit.yml b/data_sources/kubernetes_audit.yml
@@ -54,7 +54,7 @@ fields:
 - user.username
 - userAgent
 - verb
-example_log: '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"582c31ab-4906-49bb-9ff9-872f980ccb84","stage":"ResponseComplete","requestURI":"/apis/batch/v1/namespaces/test2/jobs?fieldManager=kubectl-create\u0026fieldValidation=Strict","verb":"create","user":{"username":"k8s-test-user","uid":"aws-iam-authenticator:591511147606:AROAYTOGP2RLFHNBOTP5J","groups":["system:authenticated"]},"sourceIPs":["176.95.188.101"],"userAgent":"kubectl/v1.27.2
+example_log: '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"582c31ab-4906-49bb-9ff9-872f980ccb84","stage":"ResponseComplete","requestURI":"/apis/batch/v1/namespaces/test2/jobs?fieldManager=kubectl-create\u0026fieldValidation=Strict","verb":"create","user":{"username":"k8s-test-user","uid":"aws-iam-authenticator:111111111111:AROAYTXXXXXXHNXXXXX","groups":["system:authenticated"]},"sourceIPs":["176.95.188.101"],"userAgent":"kubectl/v1.27.2
   (darwin/arm64) kubernetes/7f6f68f","objectRef":{"resource":"jobs","namespace":"test2","apiGroup":"batch","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Failure","message":"jobs.batch
   is forbidden: User \"k8s-test-user\" cannot create resource \"jobs\" in API group
   \"batch\" in the namespace \"test2\"","reason":"Forbidden","details":{"group":"batch","kind":"jobs"},"code":403},"responseObject":{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"jobs.batch
diff --git a/detections/deprecated/remote_desktop_network_bruteforce.yml b/detections/deprecated/remote_desktop_network_bruteforce.yml
@@ -0,0 +1,59 @@
+name: Remote Desktop Network Bruteforce
+id: a98727cc-286b-4ff2-b898-41df64695923
+version: 7  
+date: '2025-01-10'
+author: Jose Hernandez, Bhavin Patel, Splunk
+status: deprecated
+type: TTP
+description: The following analytic has been deprecated in favor of "Windows Remote Desktop Network Bruteforce Attempt". The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. This query detects potential RDP brute force attacks by identifying source IPs that have made more than 10 successful connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity.
+data_source:
+- Sysmon EventID 3
+search: >-
+  | tstats `security_content_summariesonly` count, min(_time) as firstTime, max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=rdp OR All_Traffic.dest_port=3389) AND All_Traffic.action=allowed by All_Traffic.src, All_Traffic.dest, All_Traffic.dest_port All_Traffic.user All_Traffic.vendor_product 
+  | `drop_dm_object_name("All_Traffic")` 
+  | eval duration=lastTime-firstTime 
+  | where count > 10 AND duration < 3600 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `remote_desktop_network_bruteforce_filter`
+how_to_implement: You must ensure that your network traffic data is populating the Network_Traffic data model. Adjust the count and duration thresholds as necessary to tune the sensitivity of your detection.
+known_false_positives: RDP gateways may have unusually high amounts of traffic from all other hosts' RDP applications in the network.Any legitimate RDP traffic using wrong/expired credentials will be also detected as a false positive.
+references:
+- https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack
+- https://www.reliaquest.com/blog/rdp-brute-force-attacks/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: RDP brute force attack on $dest$
+  risk_objects:
+  - field: dest
+    type: system
+    score: 25
+  threat_objects: [] 
+tags:
+  analytic_story:
+  - SamSam Ransomware
+  - Ryuk Ransomware
+  - Compromised User Account
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1110.001
+  - T1110
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_bitlockertogo_process_execution.yml b/detections/endpoint/windows_bitlockertogo_process_execution.yml
@@ -1,10 +1,10 @@
 name: Windows BitLockerToGo Process Execution
 id: 68cbc9e9-2882-46f2-b636-3b5080589d58
-version: 2
+version: 3
 date: '2025-01-21'
 author: Michael Haag, Nasreddine Bencherchali, Splunk
 data_source:
-- Sysmon Event ID 1
+- Sysmon EventID 1
 - Windows Event Log Security 4688
 type: Hunting
 status: production
diff --git a/detections/endpoint/windows_disable_or_stop_browser_process.yml b/detections/endpoint/windows_disable_or_stop_browser_process.yml
@@ -1,10 +1,10 @@
 name: Windows Disable or Stop Browser Process
 id: 220d34b7-b6c7-45fe-8dbb-c35cdd9fe6d5
-version: 2
+version: 3
 date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 data_source:
-- Sysmon Event ID 1
+- Sysmon EventID 1
 type: TTP
 status: production
 description: The following analytic detects the use of the taskkill command in a process
diff --git a/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml b/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml
@@ -16,22 +16,9 @@ description: The following analytic detects suspicious modifications to the Even
   viewing, ingesting and interacting event logs.
 data_source:
 - Sysmon EventID 13
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Services\\Eventlog\\*"
-  AND Registry.registry_value_name=CustomSD BY Registry.dest Registry.registry_value_data
-  Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name
-  Registry.user Registry.registry_value_name Registry.registry_path | `drop_dm_object_name(Registry)` | where
-  isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `windows_new_custom_security_descriptor_set_on_eventlog_channel_filter`'
-how_to_implement: To successfully implement this search, you must be ingesting data
-  that records registry activity from your hosts to populate the endpoint data model
-  in the registry node. This is typically populated via endpoint detection-and-response
-  product, such as Carbon Black or endpoint data sources, such as Sysmon. The data
-  used for this search is typically generated via logs that report reads and writes
-  to the registry. If you are using Sysmon, you must have at least version 2.0 of
-  the official Sysmon TA. https://splunkbase.splunk.com/app/5709
-known_false_positives: None identified, setting up the "CustomSD" value is considered
-  a legacy option and shouldn't be a common activity.
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path= "*\\Services\\Eventlog\\*" AND Registry.registry_value_name=CustomSD BY Registry.dest Registry.registry_value_data Registry.action Registry.process_guid Registry.process_id Registry.registry_key_name Registry.user Registry.registry_value_name Registry.registry_path | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_custom_security_descriptor_set_on_eventlog_channel_filter`'
+how_to_implement: To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. If you are using Sysmon, you must have at least version 2.0 of the official Sysmon TA. https://splunkbase.splunk.com/app/5709
+known_false_positives: None identified, setting up the "CustomSD" value is considered a legacy option and shouldn't be a common activity.
 references:
 - https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/set-event-log-security-locally-or-via-group-policy
 - https://attack.mitre.org/techniques/T1562/002/
diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml
diff --git a/detections/network/remote_desktop_network_bruteforce.yml b/detections/network/remote_desktop_network_bruteforce.yml
diff --git a/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml b/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml
